November 2, 2009 at 2:52 pm
After running my SQL Server Readiness script as part of a D.o.D. (IASE) process for hardening of SS and finding security weaknesses and/or breaches, there is one item that showed a requirement of remediation.
The DBMS software libraries contain the executables used by the DBMS
to operate. Unauthorized access to the libraries can result in malicious alteration or
planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.
Check:
For SQL Server 2005:
SQL Server program files are installed in two places:
1. A subdirectory of the Program Files directory named Microsoft SQL Server (specified here as [PFdir])
2. The directory created for the specific instance (specified here as [InstDir]). This directory is specified in the registry for database engine instances under:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Microsoft SQL Server \ Instance Names \ SQL
Administrators is in the security access list with Full Rights for this folder. Is this a No-No? Thinking in terms of the "Principle of Least Privilege" necessary for basic operations.
Thanks,
Zee
SS DBA - General Dynamics I.T.
Atlanta, GA
November 2, 2009 at 2:57 pm
Are you asking if the database admins should have access to the folders with the SQL executables? Or are you asking about Windows/domain admins?
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
November 2, 2009 at 9:50 pm
You should be more concerned by who is a member of the Administrators group than the access that the Administrators group has on the local machine.
The Administrators group has numerous ways of gaining access to SQL Server data, so your best defense is to restrict membership to the smallest number of users needed to administer the system.
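As an added example (not code from the thread or from either poster), the following read-only PowerShell script walks the check described above: it reads the Instance Names\SQL registry key to find each instance ID, resolves the instance binary directory from that instance's Setup key, dumps the NTFS ACL on [PFdir] and each [InstDir], and then lists who is actually in the local Administrators group, which is the point the last reply makes. It assumes the SQLBinRoot value under the per-instance Setup key (present on SQL Server 2005 and later) and that it is run from an elevated prompt on the database host.

```powershell
# Added example: audit SQL Server binary directory ACLs and Administrators membership.
# Read-only; assumes an elevated PowerShell session on the SQL Server host.

$instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$pfDir       = Join-Path $env:ProgramFiles 'Microsoft SQL Server'   # [PFdir] from the check

$dirs = @($pfDir)

if (Test-Path $instanceKey) {
    $key = Get-Item -Path $instanceKey
    # Each value under Instance Names\SQL maps an instance name (e.g. MSSQLSERVER)
    # to its instance ID (e.g. MSSQL.1 on SQL Server 2005).
    foreach ($name in $key.GetValueNames()) {
        $instanceId = $key.GetValue($name)
        $setupKey   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\Setup"
        $binRoot    = (Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue).SQLBinRoot
        if ($binRoot) {
            Write-Host "Instance '$name' ($instanceId) binaries: $binRoot"
            $dirs += $binRoot                                        # [InstDir] for this instance
        }
    }
} else {
    Write-Warning "Instance Names\SQL key not found; only [PFdir] will be checked."
}

# Flag explicit (non-inherited) entries that grant write-capable rights, since those
# are what the finding is about: the ability to alter or plant executables.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in ($dirs | Sort-Object -Unique)) {
    if (-not (Test-Path $dir)) { Write-Warning "Missing directory: $dir"; continue }
    Write-Host "`n== ACL for $dir =="
    $acl = Get-Acl -Path $dir
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeRights) -ne 0)
    }
    Write-Host "Principals with write-capable rights: " +
        (($writers.IdentityReference | Sort-Object -Unique) -join ', ')
}

# Membership of Administrators matters more than the group's rights on the folder.
Write-Host "`n== Local Administrators membership =="
try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} catch {
    # Older hosts without the Microsoft.PowerShell.LocalAccounts module
    net localgroup Administrators
}
```

Review the write-capable list against the accounts that genuinely need to service the installation (the SQL Server service account, SYSTEM, and the patching identity), and treat any domain group nested inside local Administrators as part of that membership, since every member of that group inherits the folder rights.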